The U.S. government has released details of malware that Chinese state-sponsored hackers have used to target government agencies, corporations, and think tanks.
According to the officials, the Chinese state-backed hackers are using a new variant of "Taidoor," a 12-year-old malware family that was compromising government agency systems as early as 2008. The threat actors deploy the malware on victim networks to maintain stealthy remote access.
In a recent joint advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) said that the FBI is confident that Chinese government-sponsored actors are using "malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation."
U.S. Cyber Command, one of the eleven unified combatant commands of the Department of Defense, has uploaded four samples of the Taidoor remote access trojan (RAT) to the public malware repository VirusTotal so that antivirus vendors can check the samples against other, as yet unattributed campaigns.
In a 2012 analysis, Trend Micro reported that Taidoor's operators sent socially engineered emails with malware-laced PDF attachments to target the government of Taiwan. In 2013, FireEye found significant changes in the group's tactics. Calling Taidoor a "constantly evolving, persistent threat," the company said the malicious email attachments no longer dropped the Taidoor malware directly but instead "dropped a 'downloader' that then grabbed the traditional Taidoor malware from the Internet."
In 2019, NTT Security published evidence of the backdoor being used against Japanese organizations via malicious Microsoft Word documents. When a victim opens the document, it executes the malware, which establishes communication between the compromised system and an attacker-controlled server; the threat actors can then run arbitrary commands on the host.
The Latest Threat Advisory
According to the recent advisory, the technique has not changed: the operators still phish organizations with decoy documents that carry the malware. The agencies state that Taidoor is installed on "a target's system as a service Dynamic Link Library (DLL) and is comprised of two files."
The first file is a loader (ml.dll); it decrypts the second file (svchost.dll) and "executes it in memory, which is the main RAT." Because the RAT is only ever decrypted in memory, the svchost.dll sitting on disk is not the payload in usable form, and defenders should look at the service registration and at process memory rather than rely on a file signature alone.
In addition to executing remote commands, the RAT can capture screenshots, collect file system information, and perform the file operations needed to exfiltrate the gathered data.
To reduce exposure, CISA advised users and administrators to keep operating system patches up to date, to disable file and printer sharing services where they are not required, to enforce a strong password policy, and to exercise caution when opening email attachments.
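The service-DLL installation described above gives defenders a concrete place to look. The following PowerShell hunt is an example added here; it is not taken from the advisory or from any tooling the agencies published. It walks HKLM\SYSTEM\CurrentControlSet\Services, reads each service's ServiceDll value, and flags DLLs that live outside System32, are missing or not validly Authenticode-signed, or carry one of the two file names the advisory mentions (ml.dll, svchost.dll). The triage rules themselves are this example's assumptions; the only indicators taken from the page are those two names.

```powershell
# Added example, not the agencies' code. Run in an elevated PowerShell on the host
# being checked. Taidoor-style persistence registers a loader as a service DLL, so
# every ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Parameters
# is enumerated and scored against a few triage rules (the rules are assumptions here).

$system32 = [Environment]::GetFolderPath('System')      # e.g. C:\Windows\System32
$iocNames = @('ml.dll', 'svchost.dll')                   # file names from the advisory

$findings = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svcName = $_.PSChildName
    $params  = Join-Path $_.PSPath 'Parameters'
    if (-not (Test-Path $params)) { return }            # service has no Parameters key

    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { return }                            # not a DLL-hosted service

    # ServiceDll is usually REG_EXPAND_SZ; make sure %SystemRoot% etc. are expanded.
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    $reasons = @()

    # Rule 1: svchost-hosted service DLLs normally live under System32.
    if (-not $dll.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
        $reasons += 'outside System32'
    }

    # Rule 2: file name matches one named in the advisory. Windows ships svchost.exe,
    # not svchost.dll, so that name is suspicious wherever it sits.
    if ((Split-Path $dll -Leaf) -in $iocNames) {
        $reasons += 'file name matches advisory'
    }

    # Rule 3: the referenced file is missing, or its Authenticode signature is not valid.
    if (-not (Test-Path -LiteralPath $dll)) {
        $reasons += 'file missing on disk'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Service    = $svcName
            ServiceDll = $dll
            Reasons    = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Service | Format-Table -AutoSize
```

Third-party software legitimately keeps service DLLs under Program Files, so "outside System32" is a triage signal rather than a verdict; confirm a hit by examining the flagged file, the service's ImagePath, and the svchost.exe instance that loads it. Because the RAT itself only exists decrypted in memory, a hit on the loader is the cue to capture and scan the hosting process's memory rather than stop at the file on disk.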